IT leaders must expand cybersecurity training programs beyond phishing awareness to avoid the emergence of major blind spots that could lead to security breaches, according to industry experts.
Speaking at an Infosecurity Europe panel debate today, former Bank of Ireland CISO, Flavius Plesu, claimed that phishing accounts for only around 5% of data breaches and leaks. But even if training is largely effective, it only needs one email to get through to let the attackers in — something likely to happen 99.9% of the time if they use sophisticated targeted techniques, he added.
“The industry is excited about phishing awareness because for the first time ever we can measure the impact of training,” argued Plesu, who is now CEO of security start-up OutThink.
“But an exclusive focus on phishing could leave a lot of blind spots and will surprise [the organization] in a negative way.”
HSBC’s Europe and UK CISO, Paula Kershaw, largely agreed, claiming phishing awareness exercises are “an important tool in the box, but not the only tool.”
“It’s very important to do as an organization, but running a phishing awareness campaign alone doesn’t protect you,” she added.
Security training could also cover, for example: password management; safe internet usage, data handling and downloads; and compliance requirements.
Staff training should be combined with sandboxing, threat intelligence and other security controls for true defense-in-depth, argued Kershaw.
Misunderstandings about the importance of phishing awareness are part of a wider problem with staff cybersecurity training in that much of it is based on pseudo-science and is therefore unmeasured, added Plesu.
“I’ve learned to hate security awareness training because of the false assumptions and false promises,” he argued. “The false assumption is that pushing more knowledge into the organization will result in more effective risk mitigation.”
Especially in large, complex organizations, it’s vital to measure the core components of any program in real-time and at scale, he said. These include: security awareness; the intention of individuals to comply; the self-efficacy of programs, that is, whether advice can be practically implemented; and cost and productivity impact.